1 // SPDX-License-Identifier: GPL-2.0 2 3 // Copyright (C) 2025 Google LLC. 4 5 //! This module defines the `Process` type, which represents a process using a particular binder 6 //! context. 7 //! 8 //! The `Process` object keeps track of all of the resources that this process owns in the binder 9 //! context. 10 //! 11 //! There is one `Process` object for each binder fd that a process has opened, so processes using 12 //! several binder contexts have several `Process` objects. This ensures that the contexts are 13 //! fully separated. 14 15 use core::mem::take; 16 17 use kernel::{ 18 bindings, 19 cred::Credential, 20 error::Error, 21 fs::file::{self, File}, 22 id_pool::IdPool, 23 list::{List, ListArc, ListArcField, ListLinks}, 24 mm, 25 prelude::*, 26 rbtree::{self, RBTree, RBTreeNode, RBTreeNodeReservation}, 27 seq_file::SeqFile, 28 seq_print, 29 sync::poll::PollTable, 30 sync::{ 31 lock::{spinlock::SpinLockBackend, Guard}, 32 Arc, ArcBorrow, CondVar, CondVarTimeoutResult, Mutex, SpinLock, UniqueArc, 33 }, 34 task::Task, 35 types::ARef, 36 uaccess::{UserSlice, UserSliceReader}, 37 uapi, 38 workqueue::{self, Work}, 39 }; 40 41 use crate::{ 42 allocation::{Allocation, AllocationInfo, NewAllocation}, 43 context::Context, 44 defs::*, 45 error::{BinderError, BinderResult}, 46 node::{CouldNotDeliverCriticalIncrement, CritIncrWrapper, Node, NodeDeath, NodeRef}, 47 page_range::ShrinkablePageRange, 48 range_alloc::{RangeAllocator, ReserveNew, ReserveNewArgs}, 49 stats::BinderStats, 50 thread::{PushWorkRes, Thread}, 51 BinderfsProcFile, DArc, DLArc, DTRWrap, DeliverToRead, 52 }; 53 54 #[path = "freeze.rs"] 55 mod freeze; 56 use self::freeze::{FreezeCookie, FreezeListener}; 57 58 struct Mapping { 59 address: usize, 60 alloc: RangeAllocator<AllocationInfo>, 61 } 62 63 impl Mapping { 64 fn new(address: usize, size: usize) -> Self { 65 Self { 66 address, 67 alloc: RangeAllocator::new(size), 68 } 69 } 70 } 71 72 // bitflags for defer_work. 73 const PROC_DEFER_FLUSH: u8 = 1; 74 const PROC_DEFER_RELEASE: u8 = 2; 75 76 #[derive(Copy, Clone)] 77 pub(crate) enum IsFrozen { 78 Yes, 79 No, 80 InProgress, 81 } 82 83 impl IsFrozen { 84 /// Whether incoming transactions should be rejected due to freeze. 85 pub(crate) fn is_frozen(self) -> bool { 86 match self { 87 IsFrozen::Yes => true, 88 IsFrozen::No => false, 89 IsFrozen::InProgress => true, 90 } 91 } 92 93 /// Whether freeze notifications consider this process frozen. 94 pub(crate) fn is_fully_frozen(self) -> bool { 95 match self { 96 IsFrozen::Yes => true, 97 IsFrozen::No => false, 98 IsFrozen::InProgress => false, 99 } 100 } 101 } 102 103 /// The fields of `Process` protected by the spinlock. 104 pub(crate) struct ProcessInner { 105 is_manager: bool, 106 pub(crate) is_dead: bool, 107 threads: RBTree<i32, Arc<Thread>>, 108 /// INVARIANT: Threads pushed to this list must be owned by this process. 109 ready_threads: List<Thread>, 110 nodes: RBTree<u64, DArc<Node>>, 111 mapping: Option<Mapping>, 112 work: List<DTRWrap<dyn DeliverToRead>>, 113 delivered_deaths: List<DTRWrap<NodeDeath>, 2>, 114 115 /// The number of requested threads that haven't registered yet. 116 requested_thread_count: u32, 117 /// The maximum number of threads used by the process thread pool. 118 max_threads: u32, 119 /// The number of threads the started and registered with the thread pool. 120 started_thread_count: u32, 121 122 /// Bitmap of deferred work to do. 123 defer_work: u8, 124 125 /// Number of transactions to be transmitted before processes in freeze_wait 126 /// are woken up. 127 outstanding_txns: u32, 128 /// Process is frozen and unable to service binder transactions. 129 pub(crate) is_frozen: IsFrozen, 130 /// Process received sync transactions since last frozen. 131 pub(crate) sync_recv: bool, 132 /// Process received async transactions since last frozen. 133 pub(crate) async_recv: bool, 134 pub(crate) binderfs_file: Option<BinderfsProcFile>, 135 /// Check for oneway spam 136 oneway_spam_detection_enabled: bool, 137 } 138 139 impl ProcessInner { 140 fn new() -> Self { 141 Self { 142 is_manager: false, 143 is_dead: false, 144 threads: RBTree::new(), 145 ready_threads: List::new(), 146 mapping: None, 147 nodes: RBTree::new(), 148 work: List::new(), 149 delivered_deaths: List::new(), 150 requested_thread_count: 0, 151 max_threads: 0, 152 started_thread_count: 0, 153 defer_work: 0, 154 outstanding_txns: 0, 155 is_frozen: IsFrozen::No, 156 sync_recv: false, 157 async_recv: false, 158 binderfs_file: None, 159 oneway_spam_detection_enabled: false, 160 } 161 } 162 163 /// Schedule the work item for execution on this process. 164 /// 165 /// If any threads are ready for work, then the work item is given directly to that thread and 166 /// it is woken up. Otherwise, it is pushed to the process work list. 167 /// 168 /// This call can fail only if the process is dead. In this case, the work item is returned to 169 /// the caller so that the caller can drop it after releasing the inner process lock. This is 170 /// necessary since the destructor of `Transaction` will take locks that can't necessarily be 171 /// taken while holding the inner process lock. 172 pub(crate) fn push_work( 173 &mut self, 174 work: DLArc<dyn DeliverToRead>, 175 ) -> Result<(), (BinderError, DLArc<dyn DeliverToRead>)> { 176 // Try to find a ready thread to which to push the work. 177 if let Some(thread) = self.ready_threads.pop_front() { 178 // Push to thread while holding state lock. This prevents the thread from giving up 179 // (for example, because of a signal) when we're about to deliver work. 180 match thread.push_work(work) { 181 PushWorkRes::Ok => Ok(()), 182 PushWorkRes::FailedDead(work) => Err((BinderError::new_dead(), work)), 183 } 184 } else if self.is_dead { 185 Err((BinderError::new_dead(), work)) 186 } else { 187 let sync = work.should_sync_wakeup(); 188 189 // Didn't find a thread waiting for proc work; this can happen 190 // in two scenarios: 191 // 1. All threads are busy handling transactions 192 // In that case, one of those threads should call back into 193 // the kernel driver soon and pick up this work. 194 // 2. Threads are using the (e)poll interface, in which case 195 // they may be blocked on the waitqueue without having been 196 // added to waiting_threads. For this case, we just iterate 197 // over all threads not handling transaction work, and 198 // wake them all up. We wake all because we don't know whether 199 // a thread that called into (e)poll is handling non-binder 200 // work currently. 201 self.work.push_back(work); 202 203 // Wake up polling threads, if any. 204 for thread in self.threads.values() { 205 thread.notify_if_poll_ready(sync); 206 } 207 208 Ok(()) 209 } 210 } 211 212 pub(crate) fn remove_node(&mut self, ptr: u64) { 213 self.nodes.remove(&ptr); 214 } 215 216 /// Updates the reference count on the given node. 217 pub(crate) fn update_node_refcount( 218 &mut self, 219 node: &DArc<Node>, 220 inc: bool, 221 strong: bool, 222 count: usize, 223 othread: Option<&Thread>, 224 ) { 225 let push = node.update_refcount_locked(inc, strong, count, self); 226 227 // If we decided that we need to push work, push either to the process or to a thread if 228 // one is specified. 229 if let Some(node) = push { 230 if let Some(thread) = othread { 231 thread.push_work_deferred(node); 232 } else { 233 let _ = self.push_work(node); 234 // Nothing to do: `push_work` may fail if the process is dead, but that's ok as in 235 // that case, it doesn't care about the notification. 236 } 237 } 238 } 239 240 pub(crate) fn new_node_ref( 241 &mut self, 242 node: DArc<Node>, 243 strong: bool, 244 thread: Option<&Thread>, 245 ) -> NodeRef { 246 self.update_node_refcount(&node, true, strong, 1, thread); 247 let strong_count = if strong { 1 } else { 0 }; 248 NodeRef::new(node, strong_count, 1 - strong_count) 249 } 250 251 pub(crate) fn new_node_ref_with_thread( 252 &mut self, 253 node: DArc<Node>, 254 strong: bool, 255 thread: &Thread, 256 wrapper: Option<CritIncrWrapper>, 257 ) -> Result<NodeRef, CouldNotDeliverCriticalIncrement> { 258 let push = match wrapper { 259 None => node 260 .incr_refcount_allow_zero2one(strong, self)? 261 .map(|node| node as _), 262 Some(wrapper) => node.incr_refcount_allow_zero2one_with_wrapper(strong, wrapper, self), 263 }; 264 if let Some(node) = push { 265 thread.push_work_deferred(node); 266 } 267 let strong_count = if strong { 1 } else { 0 }; 268 Ok(NodeRef::new(node, strong_count, 1 - strong_count)) 269 } 270 271 /// Returns an existing node with the given pointer and cookie, if one exists. 272 /// 273 /// Returns an error if a node with the given pointer but a different cookie exists. 274 fn get_existing_node(&self, ptr: u64, cookie: u64) -> Result<Option<DArc<Node>>> { 275 match self.nodes.get(&ptr) { 276 None => Ok(None), 277 Some(node) => { 278 let (_, node_cookie) = node.get_id(); 279 if node_cookie == cookie { 280 Ok(Some(node.clone())) 281 } else { 282 Err(EINVAL) 283 } 284 } 285 } 286 } 287 288 fn register_thread(&mut self) -> bool { 289 if self.requested_thread_count == 0 { 290 return false; 291 } 292 293 self.requested_thread_count -= 1; 294 self.started_thread_count += 1; 295 true 296 } 297 298 /// Finds a delivered death notification with the given cookie, removes it from the thread's 299 /// delivered list, and returns it. 300 fn pull_delivered_death(&mut self, cookie: u64) -> Option<DArc<NodeDeath>> { 301 let mut cursor = self.delivered_deaths.cursor_front(); 302 while let Some(next) = cursor.peek_next() { 303 if next.cookie == cookie { 304 return Some(next.remove().into_arc()); 305 } 306 cursor.move_next(); 307 } 308 None 309 } 310 311 pub(crate) fn death_delivered(&mut self, death: DArc<NodeDeath>) { 312 if let Some(death) = ListArc::try_from_arc_or_drop(death) { 313 self.delivered_deaths.push_back(death); 314 } else { 315 pr_warn!("Notification added to `delivered_deaths` twice."); 316 } 317 } 318 319 pub(crate) fn add_outstanding_txn(&mut self) { 320 self.outstanding_txns += 1; 321 } 322 323 fn txns_pending_locked(&self) -> bool { 324 if self.outstanding_txns > 0 { 325 return true; 326 } 327 for thread in self.threads.values() { 328 if thread.has_current_transaction() { 329 return true; 330 } 331 } 332 false 333 } 334 } 335 336 /// Used to keep track of a node that this process has a handle to. 337 #[pin_data] 338 pub(crate) struct NodeRefInfo { 339 debug_id: usize, 340 /// The refcount that this process owns to the node. 341 node_ref: ListArcField<NodeRef, { Self::LIST_PROC }>, 342 death: ListArcField<Option<DArc<NodeDeath>>, { Self::LIST_PROC }>, 343 /// Cookie of the active freeze listener for this node. 344 freeze: ListArcField<Option<FreezeCookie>, { Self::LIST_PROC }>, 345 /// Used to store this `NodeRefInfo` in the node's `refs` list. 346 #[pin] 347 links: ListLinks<{ Self::LIST_NODE }>, 348 /// The handle for this `NodeRefInfo`. 349 handle: u32, 350 /// The process that has a handle to the node. 351 pub(crate) process: Arc<Process>, 352 } 353 354 impl NodeRefInfo { 355 /// The id used for the `Node::refs` list. 356 pub(crate) const LIST_NODE: u64 = 0x2da16350fb724a10; 357 /// The id used for the `ListArc` in `ProcessNodeRefs`. 358 const LIST_PROC: u64 = 0xd703a5263dcc8650; 359 360 fn new(node_ref: NodeRef, handle: u32, process: Arc<Process>) -> impl PinInit<Self> { 361 pin_init!(Self { 362 debug_id: super::next_debug_id(), 363 node_ref: ListArcField::new(node_ref), 364 death: ListArcField::new(None), 365 freeze: ListArcField::new(None), 366 links <- ListLinks::new(), 367 handle, 368 process, 369 }) 370 } 371 372 kernel::list::define_list_arc_field_getter! { 373 pub(crate) fn death(&mut self<{Self::LIST_PROC}>) -> &mut Option<DArc<NodeDeath>> { death } 374 pub(crate) fn freeze(&mut self<{Self::LIST_PROC}>) -> &mut Option<FreezeCookie> { freeze } 375 pub(crate) fn node_ref(&mut self<{Self::LIST_PROC}>) -> &mut NodeRef { node_ref } 376 pub(crate) fn node_ref2(&self<{Self::LIST_PROC}>) -> &NodeRef { node_ref } 377 } 378 } 379 380 kernel::list::impl_list_arc_safe! { 381 impl ListArcSafe<{Self::LIST_NODE}> for NodeRefInfo { untracked; } 382 impl ListArcSafe<{Self::LIST_PROC}> for NodeRefInfo { untracked; } 383 } 384 kernel::list::impl_list_item! { 385 impl ListItem<{Self::LIST_NODE}> for NodeRefInfo { 386 using ListLinks { self.links }; 387 } 388 } 389 390 /// Keeps track of references this process has to nodes owned by other processes. 391 /// 392 /// TODO: Currently, the rbtree requires two allocations per node reference, and two tree 393 /// traversals to look up a node by `Node::global_id`. Once the rbtree is more powerful, these 394 /// extra costs should be eliminated. 395 struct ProcessNodeRefs { 396 /// Used to look up nodes using the 32-bit id that this process knows it by. 397 by_handle: RBTree<u32, ListArc<NodeRefInfo, { NodeRefInfo::LIST_PROC }>>, 398 /// Used to quickly find unused ids in `by_handle`. 399 handle_is_present: IdPool, 400 /// Used to look up nodes without knowing their local 32-bit id. The usize is the address of 401 /// the underlying `Node` struct as returned by `Node::global_id`. 402 by_node: RBTree<usize, u32>, 403 /// Used to look up a `FreezeListener` by cookie. 404 /// 405 /// There might be multiple freeze listeners for the same node, but at most one of them is 406 /// active. 407 freeze_listeners: RBTree<FreezeCookie, FreezeListener>, 408 } 409 410 impl ProcessNodeRefs { 411 fn new() -> Self { 412 Self { 413 by_handle: RBTree::new(), 414 handle_is_present: IdPool::new(), 415 by_node: RBTree::new(), 416 freeze_listeners: RBTree::new(), 417 } 418 } 419 } 420 421 use core::mem::offset_of; 422 use kernel::bindings::rb_process_layout; 423 pub(crate) const PROCESS_LAYOUT: rb_process_layout = rb_process_layout { 424 arc_offset: Arc::<Process>::DATA_OFFSET, 425 task: offset_of!(Process, task), 426 }; 427 428 /// A process using binder. 429 /// 430 /// Strictly speaking, there can be multiple of these per process. There is one for each binder fd 431 /// that a process has opened, so processes using several binder contexts have several `Process` 432 /// objects. This ensures that the contexts are fully separated. 433 #[pin_data] 434 pub(crate) struct Process { 435 pub(crate) ctx: Arc<Context>, 436 437 // The task leader (process). 438 pub(crate) task: ARef<Task>, 439 440 // Credential associated with file when `Process` is created. 441 pub(crate) cred: ARef<Credential>, 442 443 #[pin] 444 pub(crate) inner: SpinLock<ProcessInner>, 445 446 #[pin] 447 pub(crate) pages: ShrinkablePageRange, 448 449 // Waitqueue of processes waiting for all outstanding transactions to be 450 // processed. 451 #[pin] 452 freeze_wait: CondVar, 453 454 // Node references are in a different lock to avoid recursive acquisition when 455 // incrementing/decrementing a node in another process. 456 #[pin] 457 node_refs: Mutex<ProcessNodeRefs>, 458 459 // Work node for deferred work item. 460 #[pin] 461 defer_work: Work<Process>, 462 463 // Links for process list in Context. 464 #[pin] 465 links: ListLinks, 466 467 pub(crate) stats: BinderStats, 468 } 469 470 kernel::impl_has_work! { 471 impl HasWork<Process> for Process { self.defer_work } 472 } 473 474 kernel::list::impl_list_arc_safe! { 475 impl ListArcSafe<0> for Process { untracked; } 476 } 477 kernel::list::impl_list_item! { 478 impl ListItem<0> for Process { 479 using ListLinks { self.links }; 480 } 481 } 482 483 impl workqueue::WorkItem for Process { 484 type Pointer = Arc<Process>; 485 486 fn run(me: Arc<Self>) { 487 let defer; 488 { 489 let mut inner = me.inner.lock(); 490 defer = inner.defer_work; 491 inner.defer_work = 0; 492 } 493 494 if defer & PROC_DEFER_FLUSH != 0 { 495 me.deferred_flush(); 496 } 497 if defer & PROC_DEFER_RELEASE != 0 { 498 me.deferred_release(); 499 } 500 } 501 } 502 503 impl Process { 504 fn new(ctx: Arc<Context>, cred: ARef<Credential>) -> Result<Arc<Self>> { 505 let current = kernel::current!(); 506 let list_process = ListArc::pin_init::<Error>( 507 try_pin_init!(Process { 508 ctx, 509 cred, 510 inner <- kernel::new_spinlock!(ProcessInner::new(), "Process::inner"), 511 pages <- ShrinkablePageRange::new(&super::BINDER_SHRINKER), 512 node_refs <- kernel::new_mutex!(ProcessNodeRefs::new(), "Process::node_refs"), 513 freeze_wait <- kernel::new_condvar!("Process::freeze_wait"), 514 task: current.group_leader().into(), 515 defer_work <- kernel::new_work!("Process::defer_work"), 516 links <- ListLinks::new(), 517 stats: BinderStats::new(), 518 }), 519 GFP_KERNEL, 520 )?; 521 522 let process = list_process.clone_arc(); 523 process.ctx.register_process(list_process); 524 525 Ok(process) 526 } 527 528 pub(crate) fn pid_in_current_ns(&self) -> kernel::task::Pid { 529 self.task.tgid_nr_ns(None) 530 } 531 532 #[inline(never)] 533 pub(crate) fn debug_print_stats(&self, m: &SeqFile, ctx: &Context) -> Result<()> { 534 seq_print!(m, "proc {}\n", self.pid_in_current_ns()); 535 seq_print!(m, "context {}\n", &*ctx.name); 536 537 let inner = self.inner.lock(); 538 seq_print!(m, " threads: {}\n", inner.threads.iter().count()); 539 seq_print!( 540 m, 541 " requested threads: {}+{}/{}\n", 542 inner.requested_thread_count, 543 inner.started_thread_count, 544 inner.max_threads, 545 ); 546 if let Some(mapping) = &inner.mapping { 547 seq_print!( 548 m, 549 " free oneway space: {}\n", 550 mapping.alloc.free_oneway_space() 551 ); 552 seq_print!(m, " buffers: {}\n", mapping.alloc.count_buffers()); 553 } 554 seq_print!( 555 m, 556 " outstanding transactions: {}\n", 557 inner.outstanding_txns 558 ); 559 seq_print!(m, " nodes: {}\n", inner.nodes.iter().count()); 560 drop(inner); 561 562 { 563 let mut refs = self.node_refs.lock(); 564 let (mut count, mut weak, mut strong) = (0, 0, 0); 565 for r in refs.by_handle.values_mut() { 566 let node_ref = r.node_ref(); 567 let (nstrong, nweak) = node_ref.get_count(); 568 count += 1; 569 weak += nweak; 570 strong += nstrong; 571 } 572 seq_print!(m, " refs: {count} s {strong} w {weak}\n"); 573 } 574 575 self.stats.debug_print(" ", m); 576 577 Ok(()) 578 } 579 580 #[inline(never)] 581 pub(crate) fn debug_print(&self, m: &SeqFile, ctx: &Context, print_all: bool) -> Result<()> { 582 seq_print!(m, "proc {}\n", self.pid_in_current_ns()); 583 seq_print!(m, "context {}\n", &*ctx.name); 584 585 let mut all_threads = KVec::new(); 586 let mut all_nodes = KVec::new(); 587 loop { 588 let inner = self.inner.lock(); 589 let num_threads = inner.threads.iter().count(); 590 let num_nodes = inner.nodes.iter().count(); 591 592 if all_threads.capacity() < num_threads || all_nodes.capacity() < num_nodes { 593 drop(inner); 594 all_threads.reserve(num_threads, GFP_KERNEL)?; 595 all_nodes.reserve(num_nodes, GFP_KERNEL)?; 596 continue; 597 } 598 599 for thread in inner.threads.values() { 600 assert!(all_threads.len() < all_threads.capacity()); 601 let _ = all_threads.push(thread.clone(), GFP_ATOMIC); 602 } 603 604 for node in inner.nodes.values() { 605 assert!(all_nodes.len() < all_nodes.capacity()); 606 let _ = all_nodes.push(node.clone(), GFP_ATOMIC); 607 } 608 609 break; 610 } 611 612 for thread in all_threads { 613 thread.debug_print(m, print_all)?; 614 } 615 616 let mut inner = self.inner.lock(); 617 for node in all_nodes { 618 if print_all || node.has_oneway_transaction(&mut inner) { 619 node.full_debug_print(m, &mut inner)?; 620 } 621 } 622 drop(inner); 623 624 if print_all { 625 let mut refs = self.node_refs.lock(); 626 for r in refs.by_handle.values_mut() { 627 let node_ref = r.node_ref(); 628 let dead = node_ref.node.owner.inner.lock().is_dead; 629 let (strong, weak) = node_ref.get_count(); 630 let debug_id = node_ref.node.debug_id; 631 632 seq_print!( 633 m, 634 " ref {}: desc {} {}node {debug_id} s {strong} w {weak}", 635 r.debug_id, 636 r.handle, 637 if dead { "dead " } else { "" } 638 ); 639 } 640 } 641 642 let inner = self.inner.lock(); 643 for work in &inner.work { 644 work.debug_print(m, " ", " pending transaction ")?; 645 } 646 for _death in &inner.delivered_deaths { 647 seq_print!(m, " has delivered dead binder\n"); 648 } 649 if let Some(mapping) = &inner.mapping { 650 mapping.alloc.debug_print(m)?; 651 } 652 drop(inner); 653 654 Ok(()) 655 } 656 657 /// Attempts to fetch a work item from the process queue. 658 pub(crate) fn get_work(&self) -> Option<DLArc<dyn DeliverToRead>> { 659 self.inner.lock().work.pop_front() 660 } 661 662 /// Attempts to fetch a work item from the process queue. If none is available, it registers the 663 /// given thread as ready to receive work directly. 664 /// 665 /// This must only be called when the thread is not participating in a transaction chain; when 666 /// it is, work will always be delivered directly to the thread (and not through the process 667 /// queue). 668 pub(crate) fn get_work_or_register<'a>( 669 &'a self, 670 thread: &'a Arc<Thread>, 671 ) -> GetWorkOrRegister<'a> { 672 let mut inner = self.inner.lock(); 673 // Try to get work from the process queue. 674 if let Some(work) = inner.work.pop_front() { 675 return GetWorkOrRegister::Work(work); 676 } 677 678 // Register the thread as ready. 679 GetWorkOrRegister::Register(Registration::new(thread, &mut inner)) 680 } 681 682 fn get_current_thread(self: ArcBorrow<'_, Self>) -> Result<Arc<Thread>> { 683 let id = { 684 let current = kernel::current!(); 685 if !core::ptr::eq(current.group_leader(), &*self.task) { 686 pr_err!("get_current_thread was called from the wrong process."); 687 return Err(EINVAL); 688 } 689 current.pid() 690 }; 691 692 { 693 let inner = self.inner.lock(); 694 if let Some(thread) = inner.threads.get(&id) { 695 return Ok(thread.clone()); 696 } 697 } 698 699 // Allocate a new `Thread` without holding any locks. 700 let reservation = RBTreeNodeReservation::new(GFP_KERNEL)?; 701 let ta: Arc<Thread> = Thread::new(id, self.into())?; 702 703 let mut inner = self.inner.lock(); 704 match inner.threads.entry(id) { 705 rbtree::Entry::Vacant(entry) => { 706 entry.insert(ta.clone(), reservation); 707 Ok(ta) 708 } 709 rbtree::Entry::Occupied(_entry) => { 710 pr_err!("Cannot create two threads with the same id."); 711 Err(EINVAL) 712 } 713 } 714 } 715 716 pub(crate) fn push_work(&self, work: DLArc<dyn DeliverToRead>) -> BinderResult { 717 // If push_work fails, drop the work item outside the lock. 718 let res = self.inner.lock().push_work(work); 719 match res { 720 Ok(()) => Ok(()), 721 Err((err, work)) => { 722 drop(work); 723 Err(err) 724 } 725 } 726 } 727 728 fn set_as_manager( 729 self: ArcBorrow<'_, Self>, 730 info: Option<FlatBinderObject>, 731 thread: &Thread, 732 ) -> Result { 733 let (ptr, cookie, flags) = if let Some(obj) = info { 734 ( 735 // SAFETY: The object type for this ioctl is implicitly `BINDER_TYPE_BINDER`, so it 736 // is safe to access the `binder` field. 737 unsafe { obj.__bindgen_anon_1.binder }, 738 obj.cookie, 739 obj.flags, 740 ) 741 } else { 742 (0, 0, 0) 743 }; 744 let node_ref = self.get_node(ptr, cookie, flags as _, true, thread)?; 745 let node = node_ref.node.clone(); 746 self.ctx.set_manager_node(node_ref)?; 747 self.inner.lock().is_manager = true; 748 749 // Force the state of the node to prevent the delivery of acquire/increfs. 750 let mut owner_inner = node.owner.inner.lock(); 751 node.force_has_count(&mut owner_inner); 752 Ok(()) 753 } 754 755 fn get_node_inner( 756 self: ArcBorrow<'_, Self>, 757 ptr: u64, 758 cookie: u64, 759 flags: u32, 760 strong: bool, 761 thread: &Thread, 762 wrapper: Option<CritIncrWrapper>, 763 ) -> Result<Result<NodeRef, CouldNotDeliverCriticalIncrement>> { 764 // Try to find an existing node. 765 { 766 let mut inner = self.inner.lock(); 767 if let Some(node) = inner.get_existing_node(ptr, cookie)? { 768 return Ok(inner.new_node_ref_with_thread(node, strong, thread, wrapper)); 769 } 770 } 771 772 // Allocate the node before reacquiring the lock. 773 let node = DTRWrap::arc_pin_init(Node::new(ptr, cookie, flags, self.into()))?.into_arc(); 774 let rbnode = RBTreeNode::new(ptr, node.clone(), GFP_KERNEL)?; 775 let mut inner = self.inner.lock(); 776 if let Some(node) = inner.get_existing_node(ptr, cookie)? { 777 return Ok(inner.new_node_ref_with_thread(node, strong, thread, wrapper)); 778 } 779 780 inner.nodes.insert(rbnode); 781 // This can only fail if someone has already pushed the node to a list, but we just created 782 // it and still hold the lock, so it can't fail right now. 783 let node_ref = inner 784 .new_node_ref_with_thread(node, strong, thread, wrapper) 785 .unwrap(); 786 787 Ok(Ok(node_ref)) 788 } 789 790 pub(crate) fn get_node( 791 self: ArcBorrow<'_, Self>, 792 ptr: u64, 793 cookie: u64, 794 flags: u32, 795 strong: bool, 796 thread: &Thread, 797 ) -> Result<NodeRef> { 798 let mut wrapper = None; 799 for _ in 0..2 { 800 match self.get_node_inner(ptr, cookie, flags, strong, thread, wrapper) { 801 Err(err) => return Err(err), 802 Ok(Ok(node_ref)) => return Ok(node_ref), 803 Ok(Err(CouldNotDeliverCriticalIncrement)) => { 804 wrapper = Some(CritIncrWrapper::new()?); 805 } 806 } 807 } 808 // We only get a `CouldNotDeliverCriticalIncrement` error if `wrapper` is `None`, so the 809 // loop should run at most twice. 810 unreachable!() 811 } 812 813 pub(crate) fn insert_or_update_handle( 814 self: ArcBorrow<'_, Process>, 815 node_ref: NodeRef, 816 is_manager: bool, 817 ) -> Result<u32> { 818 { 819 let mut refs = self.node_refs.lock(); 820 821 // Do a lookup before inserting. 822 if let Some(handle_ref) = refs.by_node.get(&node_ref.node.global_id()) { 823 let handle = *handle_ref; 824 let info = refs.by_handle.get_mut(&handle).unwrap(); 825 info.node_ref().absorb(node_ref); 826 return Ok(handle); 827 } 828 } 829 830 // Reserve memory for tree nodes. 831 let reserve1 = RBTreeNodeReservation::new(GFP_KERNEL)?; 832 let reserve2 = RBTreeNodeReservation::new(GFP_KERNEL)?; 833 let info = UniqueArc::new_uninit(GFP_KERNEL)?; 834 835 let mut refs_lock = self.node_refs.lock(); 836 let mut refs = &mut *refs_lock; 837 838 let (unused_id, by_handle_slot) = loop { 839 // ID 0 may only be used by the manager. 840 let start = if is_manager { 0 } else { 1 }; 841 842 if let Some(res) = refs.handle_is_present.find_unused_id(start) { 843 match refs.by_handle.entry(res.as_u32()) { 844 rbtree::Entry::Vacant(entry) => break (res, entry), 845 rbtree::Entry::Occupied(_) => { 846 pr_err!("Detected mismatch between handle_is_present and by_handle"); 847 res.acquire(); 848 kernel::warn_on!(true); 849 return Err(EINVAL); 850 } 851 } 852 } 853 854 let grow_request = refs.handle_is_present.grow_request().ok_or(ENOMEM)?; 855 drop(refs_lock); 856 let resizer = grow_request.realloc(GFP_KERNEL)?; 857 refs_lock = self.node_refs.lock(); 858 refs = &mut *refs_lock; 859 refs.handle_is_present.grow(resizer); 860 }; 861 let handle = unused_id.as_u32(); 862 863 // Do a lookup again as node may have been inserted before the lock was reacquired. 864 if let Some(handle_ref) = refs.by_node.get(&node_ref.node.global_id()) { 865 let handle = *handle_ref; 866 let info = refs.by_handle.get_mut(&handle).unwrap(); 867 info.node_ref().absorb(node_ref); 868 return Ok(handle); 869 } 870 871 let gid = node_ref.node.global_id(); 872 let (info_proc, info_node) = { 873 let info_init = NodeRefInfo::new(node_ref, handle, self.into()); 874 match info.pin_init_with(info_init) { 875 Ok(info) => ListArc::pair_from_pin_unique(info), 876 // error is infallible 877 Err(err) => match err {}, 878 } 879 }; 880 881 // Ensure the process is still alive while we insert a new reference. 882 // 883 // This releases the lock before inserting the nodes, but since `is_dead` is set as the 884 // first thing in `deferred_release`, process cleanup will not miss the items inserted into 885 // `refs` below. 886 if self.inner.lock().is_dead { 887 return Err(ESRCH); 888 } 889 890 // SAFETY: `info_proc` and `info_node` reference the same node, so we are inserting 891 // `info_node` into the right node's `refs` list. 892 unsafe { info_proc.node_ref2().node.insert_node_info(info_node) }; 893 894 refs.by_node.insert(reserve1.into_node(gid, handle)); 895 by_handle_slot.insert(info_proc, reserve2); 896 unused_id.acquire(); 897 Ok(handle) 898 } 899 900 pub(crate) fn get_transaction_node(&self, handle: u32) -> BinderResult<NodeRef> { 901 // When handle is zero, try to get the context manager. 902 if handle == 0 { 903 Ok(self.ctx.get_manager_node(true)?) 904 } else { 905 Ok(self.get_node_from_handle(handle, true)?) 906 } 907 } 908 909 pub(crate) fn get_node_from_handle(&self, handle: u32, strong: bool) -> Result<NodeRef> { 910 self.node_refs 911 .lock() 912 .by_handle 913 .get_mut(&handle) 914 .ok_or(ENOENT)? 915 .node_ref() 916 .clone(strong) 917 } 918 919 pub(crate) fn remove_from_delivered_deaths(&self, death: &DArc<NodeDeath>) { 920 let mut inner = self.inner.lock(); 921 // SAFETY: By the invariant on the `delivered_links` field, this is the right linked list. 922 let removed = unsafe { inner.delivered_deaths.remove(death) }; 923 drop(inner); 924 drop(removed); 925 } 926 927 pub(crate) fn update_ref( 928 self: ArcBorrow<'_, Process>, 929 handle: u32, 930 inc: bool, 931 strong: bool, 932 ) -> Result { 933 if inc && handle == 0 { 934 if let Ok(node_ref) = self.ctx.get_manager_node(strong) { 935 if core::ptr::eq(&*self, &*node_ref.node.owner) { 936 return Err(EINVAL); 937 } 938 let _ = self.insert_or_update_handle(node_ref, true); 939 return Ok(()); 940 } 941 } 942 943 // To preserve original binder behaviour, we only fail requests where the manager tries to 944 // increment references on itself. 945 let mut refs = self.node_refs.lock(); 946 if let Some(info) = refs.by_handle.get_mut(&handle) { 947 if info.node_ref().update(inc, strong) { 948 // Clean up death if there is one attached to this node reference. 949 if let Some(death) = info.death().take() { 950 death.set_cleared(true); 951 self.remove_from_delivered_deaths(&death); 952 } 953 954 // Remove reference from process tables, and from the node's `refs` list. 955 956 // SAFETY: We are removing the `NodeRefInfo` from the right node. 957 unsafe { info.node_ref2().node.remove_node_info(info) }; 958 959 let id = info.node_ref().node.global_id(); 960 refs.by_handle.remove(&handle); 961 refs.by_node.remove(&id); 962 refs.handle_is_present.release_id(handle as usize); 963 964 if let Some(shrink) = refs.handle_is_present.shrink_request() { 965 drop(refs); 966 // This intentionally ignores allocation failures. 967 if let Ok(new_bitmap) = shrink.realloc(GFP_KERNEL) { 968 refs = self.node_refs.lock(); 969 refs.handle_is_present.shrink(new_bitmap); 970 } 971 } 972 } 973 } else { 974 // All refs are cleared in process exit, so this warning is expected in that case. 975 if !self.inner.lock().is_dead { 976 pr_warn!("{}: no such ref {handle}\n", self.pid_in_current_ns()); 977 } 978 } 979 Ok(()) 980 } 981 982 /// Decrements the refcount of the given node, if one exists. 983 pub(crate) fn update_node(&self, ptr: u64, cookie: u64, strong: bool) { 984 let mut inner = self.inner.lock(); 985 if let Ok(Some(node)) = inner.get_existing_node(ptr, cookie) { 986 inner.update_node_refcount(&node, false, strong, 1, None); 987 } 988 } 989 990 pub(crate) fn inc_ref_done(&self, reader: &mut UserSliceReader, strong: bool) -> Result { 991 let ptr = reader.read::<u64>()?; 992 let cookie = reader.read::<u64>()?; 993 let mut inner = self.inner.lock(); 994 if let Ok(Some(node)) = inner.get_existing_node(ptr, cookie) { 995 if let Some(node) = node.inc_ref_done_locked(strong, &mut inner) { 996 // This only fails if the process is dead. 997 let _ = inner.push_work(node); 998 } 999 } 1000 Ok(()) 1001 } 1002 1003 pub(crate) fn buffer_alloc( 1004 self: &Arc<Self>, 1005 debug_id: usize, 1006 size: usize, 1007 is_oneway: bool, 1008 from_pid: i32, 1009 ) -> BinderResult<NewAllocation> { 1010 use kernel::page::PAGE_SIZE; 1011 1012 let mut reserve_new_args = ReserveNewArgs { 1013 debug_id, 1014 size, 1015 is_oneway, 1016 pid: from_pid, 1017 ..ReserveNewArgs::default() 1018 }; 1019 1020 let (new_alloc, addr) = loop { 1021 let mut inner = self.inner.lock(); 1022 let mapping = inner.mapping.as_mut().ok_or_else(BinderError::new_dead)?; 1023 let alloc_request = match mapping.alloc.reserve_new(reserve_new_args)? { 1024 ReserveNew::Success(new_alloc) => break (new_alloc, mapping.address), 1025 ReserveNew::NeedAlloc(request) => request, 1026 }; 1027 drop(inner); 1028 // We need to allocate memory and then call `reserve_new` again. 1029 reserve_new_args = alloc_request.make_alloc()?; 1030 }; 1031 1032 let res = Allocation::new( 1033 self.clone(), 1034 debug_id, 1035 new_alloc.offset, 1036 size, 1037 addr + new_alloc.offset, 1038 new_alloc.oneway_spam_detected, 1039 ); 1040 1041 // This allocation will be marked as in use until the `Allocation` is used to free it. 1042 // 1043 // This method can't be called while holding a lock, so we release the lock first. It's 1044 // okay for several threads to use the method on the same index at the same time. In that 1045 // case, one of the calls will allocate the given page (if missing), and the other call 1046 // will wait for the other call to finish allocating the page. 1047 // 1048 // We will not call `stop_using_range` in parallel with this on the same page, because the 1049 // allocation can only be removed via the destructor of the `Allocation` object that we 1050 // currently own. 1051 match self.pages.use_range( 1052 new_alloc.offset / PAGE_SIZE, 1053 (new_alloc.offset + size).div_ceil(PAGE_SIZE), 1054 ) { 1055 Ok(()) => {} 1056 Err(err) => { 1057 pr_warn!("use_range failure {:?}", err); 1058 return Err(err.into()); 1059 } 1060 } 1061 1062 Ok(NewAllocation(res)) 1063 } 1064 1065 pub(crate) fn buffer_get(self: &Arc<Self>, ptr: usize) -> Option<Allocation> { 1066 let mut inner = self.inner.lock(); 1067 let mapping = inner.mapping.as_mut()?; 1068 let offset = ptr.checked_sub(mapping.address)?; 1069 let (size, debug_id, odata) = mapping.alloc.reserve_existing(offset).ok()?; 1070 let mut alloc = Allocation::new(self.clone(), debug_id, offset, size, ptr, false); 1071 if let Some(data) = odata { 1072 alloc.set_info(data); 1073 } 1074 Some(alloc) 1075 } 1076 1077 pub(crate) fn buffer_raw_free(&self, ptr: usize) { 1078 let mut inner = self.inner.lock(); 1079 if let Some(ref mut mapping) = &mut inner.mapping { 1080 let offset = match ptr.checked_sub(mapping.address) { 1081 Some(offset) => offset, 1082 None => return, 1083 }; 1084 1085 let freed_range = match mapping.alloc.reservation_abort(offset) { 1086 Ok(freed_range) => freed_range, 1087 Err(_) => { 1088 pr_warn!( 1089 "Pointer {:x} failed to free, base = {:x}\n", 1090 ptr, 1091 mapping.address 1092 ); 1093 return; 1094 } 1095 }; 1096 1097 // No more allocations in this range. Mark them as not in use. 1098 // 1099 // Must be done before we release the lock so that `use_range` is not used on these 1100 // indices until `stop_using_range` returns. 1101 self.pages 1102 .stop_using_range(freed_range.start_page_idx, freed_range.end_page_idx); 1103 } 1104 } 1105 1106 pub(crate) fn buffer_make_freeable(&self, offset: usize, mut data: Option<AllocationInfo>) { 1107 let mut inner = self.inner.lock(); 1108 if let Some(ref mut mapping) = &mut inner.mapping { 1109 if mapping.alloc.reservation_commit(offset, &mut data).is_err() { 1110 pr_warn!("Offset {} failed to be marked freeable\n", offset); 1111 } 1112 } 1113 } 1114 1115 fn create_mapping(&self, vma: &mm::virt::VmaNew) -> Result { 1116 use kernel::page::PAGE_SIZE; 1117 let size = usize::min(vma.end() - vma.start(), bindings::SZ_4M as usize); 1118 let mapping = Mapping::new(vma.start(), size); 1119 let page_count = self.pages.register_with_vma(vma)?; 1120 if page_count * PAGE_SIZE != size { 1121 return Err(EINVAL); 1122 } 1123 1124 // Save range allocator for later. 1125 self.inner.lock().mapping = Some(mapping); 1126 1127 Ok(()) 1128 } 1129 1130 fn version(&self, data: UserSlice) -> Result { 1131 data.writer().write(&BinderVersion::current()) 1132 } 1133 1134 pub(crate) fn register_thread(&self) -> bool { 1135 self.inner.lock().register_thread() 1136 } 1137 1138 fn remove_thread(&self, thread: Arc<Thread>) { 1139 self.inner.lock().threads.remove(&thread.id); 1140 thread.release(); 1141 } 1142 1143 fn set_max_threads(&self, max: u32) { 1144 self.inner.lock().max_threads = max; 1145 } 1146 1147 fn set_oneway_spam_detection_enabled(&self, enabled: u32) { 1148 self.inner.lock().oneway_spam_detection_enabled = enabled != 0; 1149 } 1150 1151 pub(crate) fn is_oneway_spam_detection_enabled(&self) -> bool { 1152 self.inner.lock().oneway_spam_detection_enabled 1153 } 1154 1155 fn get_node_debug_info(&self, data: UserSlice) -> Result { 1156 let (mut reader, mut writer) = data.reader_writer(); 1157 1158 // Read the starting point. 1159 let ptr = reader.read::<BinderNodeDebugInfo>()?.ptr; 1160 let mut out = BinderNodeDebugInfo::default(); 1161 1162 { 1163 let inner = self.inner.lock(); 1164 for (node_ptr, node) in &inner.nodes { 1165 if *node_ptr > ptr { 1166 node.populate_debug_info(&mut out, &inner); 1167 break; 1168 } 1169 } 1170 } 1171 1172 writer.write(&out) 1173 } 1174 1175 fn get_node_info_from_ref(&self, data: UserSlice) -> Result { 1176 let (mut reader, mut writer) = data.reader_writer(); 1177 let mut out = reader.read::<BinderNodeInfoForRef>()?; 1178 1179 if out.strong_count != 0 1180 || out.weak_count != 0 1181 || out.reserved1 != 0 1182 || out.reserved2 != 0 1183 || out.reserved3 != 0 1184 { 1185 return Err(EINVAL); 1186 } 1187 1188 // Only the context manager is allowed to use this ioctl. 1189 if !self.inner.lock().is_manager { 1190 return Err(EPERM); 1191 } 1192 1193 { 1194 let mut node_refs = self.node_refs.lock(); 1195 let node_info = node_refs.by_handle.get_mut(&out.handle).ok_or(ENOENT)?; 1196 let node_ref = node_info.node_ref(); 1197 let owner_inner = node_ref.node.owner.inner.lock(); 1198 node_ref.node.populate_counts(&mut out, &owner_inner); 1199 } 1200 1201 // Write the result back. 1202 writer.write(&out) 1203 } 1204 1205 pub(crate) fn needs_thread(&self) -> bool { 1206 let mut inner = self.inner.lock(); 1207 let ret = inner.requested_thread_count == 0 1208 && inner.ready_threads.is_empty() 1209 && inner.started_thread_count < inner.max_threads; 1210 if ret { 1211 inner.requested_thread_count += 1 1212 } 1213 ret 1214 } 1215 1216 pub(crate) fn request_death( 1217 self: &Arc<Self>, 1218 reader: &mut UserSliceReader, 1219 thread: &Thread, 1220 ) -> Result { 1221 let handle: u32 = reader.read()?; 1222 let cookie: u64 = reader.read()?; 1223 1224 // Queue BR_ERROR if we can't allocate memory for the death notification. 1225 let death = UniqueArc::new_uninit(GFP_KERNEL).inspect_err(|_| { 1226 thread.push_return_work(BR_ERROR); 1227 })?; 1228 let mut refs = self.node_refs.lock(); 1229 let Some(info) = refs.by_handle.get_mut(&handle) else { 1230 pr_warn!("BC_REQUEST_DEATH_NOTIFICATION invalid ref {handle}\n"); 1231 return Ok(()); 1232 }; 1233 1234 // Nothing to do if there is already a death notification request for this handle. 1235 if info.death().is_some() { 1236 pr_warn!("BC_REQUEST_DEATH_NOTIFICATION death notification already set\n"); 1237 return Ok(()); 1238 } 1239 1240 let death = { 1241 let death_init = NodeDeath::new(info.node_ref().node.clone(), self.clone(), cookie); 1242 match death.pin_init_with(death_init) { 1243 Ok(death) => death, 1244 // error is infallible 1245 Err(err) => match err {}, 1246 } 1247 }; 1248 1249 // Register the death notification. 1250 { 1251 let owner = info.node_ref2().node.owner.clone(); 1252 let mut owner_inner = owner.inner.lock(); 1253 if owner_inner.is_dead { 1254 let death = Arc::from(death); 1255 *info.death() = Some(death.clone()); 1256 drop(owner_inner); 1257 death.set_dead(); 1258 } else { 1259 let death = ListArc::from(death); 1260 *info.death() = Some(death.clone_arc()); 1261 info.node_ref().node.add_death(death, &mut owner_inner); 1262 } 1263 } 1264 Ok(()) 1265 } 1266 1267 pub(crate) fn clear_death(&self, reader: &mut UserSliceReader, thread: &Thread) -> Result { 1268 let handle: u32 = reader.read()?; 1269 let cookie: u64 = reader.read()?; 1270 1271 let mut refs = self.node_refs.lock(); 1272 let Some(info) = refs.by_handle.get_mut(&handle) else { 1273 pr_warn!("BC_CLEAR_DEATH_NOTIFICATION invalid ref {handle}\n"); 1274 return Ok(()); 1275 }; 1276 1277 let Some(death) = info.death().take() else { 1278 pr_warn!("BC_CLEAR_DEATH_NOTIFICATION death notification not active\n"); 1279 return Ok(()); 1280 }; 1281 if death.cookie != cookie { 1282 *info.death() = Some(death); 1283 pr_warn!("BC_CLEAR_DEATH_NOTIFICATION death notification cookie mismatch\n"); 1284 return Ok(()); 1285 } 1286 1287 // Update state and determine if we need to queue a work item. We only need to do it when 1288 // the node is not dead or if the user already completed the death notification. 1289 if death.set_cleared(false) { 1290 if let Some(death) = ListArc::try_from_arc_or_drop(death) { 1291 let _ = thread.push_work_if_looper(death); 1292 } 1293 } 1294 1295 Ok(()) 1296 } 1297 1298 pub(crate) fn dead_binder_done(&self, cookie: u64, thread: &Thread) { 1299 if let Some(death) = self.inner.lock().pull_delivered_death(cookie) { 1300 death.set_notification_done(thread); 1301 } 1302 } 1303 1304 /// Locks the spinlock and move the `nodes` rbtree out. 1305 /// 1306 /// This allows you to iterate through `nodes` while also allowing you to give other parts of 1307 /// the codebase exclusive access to `ProcessInner`. 1308 pub(crate) fn lock_with_nodes(&self) -> WithNodes<'_> { 1309 let mut inner = self.inner.lock(); 1310 WithNodes { 1311 nodes: take(&mut inner.nodes), 1312 inner, 1313 } 1314 } 1315 1316 fn deferred_flush(&self) { 1317 let inner = self.inner.lock(); 1318 for thread in inner.threads.values() { 1319 thread.exit_looper(); 1320 } 1321 } 1322 1323 fn deferred_release(self: Arc<Self>) { 1324 let is_manager = { 1325 let mut inner = self.inner.lock(); 1326 inner.is_dead = true; 1327 inner.is_frozen = IsFrozen::No; 1328 inner.sync_recv = false; 1329 inner.async_recv = false; 1330 inner.is_manager 1331 }; 1332 1333 if is_manager { 1334 self.ctx.unset_manager_node(); 1335 } 1336 1337 self.ctx.deregister_process(&self); 1338 1339 let binderfs_file = self.inner.lock().binderfs_file.take(); 1340 drop(binderfs_file); 1341 1342 // Release threads. 1343 let threads = { 1344 let mut inner = self.inner.lock(); 1345 let threads = take(&mut inner.threads); 1346 let ready = take(&mut inner.ready_threads); 1347 drop(inner); 1348 drop(ready); 1349 1350 for thread in threads.values() { 1351 thread.release(); 1352 } 1353 threads 1354 }; 1355 1356 // Release nodes. 1357 { 1358 while let Some(node) = { 1359 let mut lock = self.inner.lock(); 1360 lock.nodes.cursor_front_mut().map(|c| c.remove_current().1) 1361 } { 1362 node.to_key_value().1.release(); 1363 } 1364 } 1365 1366 // Clean up death listeners and remove nodes from external node info lists. 1367 for info in self.node_refs.lock().by_handle.values_mut() { 1368 // SAFETY: We are removing the `NodeRefInfo` from the right node. 1369 unsafe { info.node_ref2().node.remove_node_info(info) }; 1370 1371 // Remove all death notifications from the nodes (that belong to a different process). 1372 let death = if let Some(existing) = info.death().take() { 1373 existing 1374 } else { 1375 continue; 1376 }; 1377 death.set_cleared(false); 1378 } 1379 1380 // Clean up freeze listeners. 1381 let freeze_listeners = take(&mut self.node_refs.lock().freeze_listeners); 1382 for listener in freeze_listeners.values() { 1383 listener.on_process_exit(&self); 1384 } 1385 drop(freeze_listeners); 1386 1387 // Release refs on foreign nodes. 1388 { 1389 let mut refs = self.node_refs.lock(); 1390 let by_handle = take(&mut refs.by_handle); 1391 let by_node = take(&mut refs.by_node); 1392 drop(refs); 1393 drop(by_node); 1394 drop(by_handle); 1395 } 1396 1397 // Cancel all pending work items. 1398 while let Some(work) = self.get_work() { 1399 work.into_arc().cancel(); 1400 } 1401 1402 // Clear delivered_deaths list. 1403 // 1404 // Scope ensures that MutexGuard is dropped while executing the body. 1405 while let Some(delivered_death) = { self.inner.lock().delivered_deaths.pop_front() } { 1406 drop(delivered_death); 1407 } 1408 1409 // Free any resources kept alive by allocated buffers. 1410 let omapping = self.inner.lock().mapping.take(); 1411 if let Some(mut mapping) = omapping { 1412 let address = mapping.address; 1413 mapping 1414 .alloc 1415 .take_for_each(|offset, size, debug_id, odata| { 1416 let ptr = offset + address; 1417 let mut alloc = 1418 Allocation::new(self.clone(), debug_id, offset, size, ptr, false); 1419 if let Some(data) = odata { 1420 alloc.set_info(data); 1421 } 1422 drop(alloc) 1423 }); 1424 } 1425 1426 // calls to synchronize_rcu() in thread drop will happen here 1427 drop(threads); 1428 } 1429 1430 pub(crate) fn drop_outstanding_txn(&self) { 1431 let wake = { 1432 let mut inner = self.inner.lock(); 1433 if inner.outstanding_txns == 0 { 1434 pr_err!("outstanding_txns underflow"); 1435 return; 1436 } 1437 inner.outstanding_txns -= 1; 1438 inner.is_frozen.is_frozen() && inner.outstanding_txns == 0 1439 }; 1440 1441 if wake { 1442 self.freeze_wait.notify_all(); 1443 } 1444 } 1445 1446 pub(crate) fn ioctl_freeze(&self, info: &BinderFreezeInfo) -> Result { 1447 if info.enable == 0 { 1448 let msgs = self.prepare_freeze_messages()?; 1449 let mut inner = self.inner.lock(); 1450 inner.sync_recv = false; 1451 inner.async_recv = false; 1452 inner.is_frozen = IsFrozen::No; 1453 drop(inner); 1454 msgs.send_messages(); 1455 return Ok(()); 1456 } 1457 1458 let mut inner = self.inner.lock(); 1459 inner.sync_recv = false; 1460 inner.async_recv = false; 1461 inner.is_frozen = IsFrozen::InProgress; 1462 1463 if info.timeout_ms > 0 { 1464 let mut jiffies = kernel::time::msecs_to_jiffies(info.timeout_ms); 1465 while jiffies > 0 { 1466 if inner.outstanding_txns == 0 { 1467 break; 1468 } 1469 1470 match self 1471 .freeze_wait 1472 .wait_interruptible_timeout(&mut inner, jiffies) 1473 { 1474 CondVarTimeoutResult::Signal { .. } => { 1475 inner.is_frozen = IsFrozen::No; 1476 return Err(ERESTARTSYS); 1477 } 1478 CondVarTimeoutResult::Woken { jiffies: remaining } => { 1479 jiffies = remaining; 1480 } 1481 CondVarTimeoutResult::Timeout => { 1482 jiffies = 0; 1483 } 1484 } 1485 } 1486 } 1487 1488 if inner.txns_pending_locked() { 1489 inner.is_frozen = IsFrozen::No; 1490 Err(EAGAIN) 1491 } else { 1492 drop(inner); 1493 match self.prepare_freeze_messages() { 1494 Ok(batch) => { 1495 self.inner.lock().is_frozen = IsFrozen::Yes; 1496 batch.send_messages(); 1497 Ok(()) 1498 } 1499 Err(kernel::alloc::AllocError) => { 1500 self.inner.lock().is_frozen = IsFrozen::No; 1501 Err(ENOMEM) 1502 } 1503 } 1504 } 1505 } 1506 } 1507 1508 fn get_frozen_status(data: UserSlice) -> Result { 1509 let (mut reader, mut writer) = data.reader_writer(); 1510 1511 let mut info = reader.read::<BinderFrozenStatusInfo>()?; 1512 info.sync_recv = 0; 1513 info.async_recv = 0; 1514 let mut found = false; 1515 1516 for ctx in crate::context::get_all_contexts()? { 1517 ctx.for_each_proc(|proc| { 1518 if proc.task.pid() == info.pid as _ { 1519 found = true; 1520 let inner = proc.inner.lock(); 1521 let txns_pending = inner.txns_pending_locked(); 1522 info.async_recv |= inner.async_recv as u32; 1523 info.sync_recv |= inner.sync_recv as u32; 1524 info.sync_recv |= (txns_pending as u32) << 1; 1525 } 1526 }); 1527 } 1528 1529 if found { 1530 writer.write(&info)?; 1531 Ok(()) 1532 } else { 1533 Err(EINVAL) 1534 } 1535 } 1536 1537 fn ioctl_freeze(reader: &mut UserSliceReader) -> Result { 1538 let info = reader.read::<BinderFreezeInfo>()?; 1539 1540 // Very unlikely for there to be more than 3, since a process normally uses at most binder and 1541 // hwbinder. 1542 let mut procs = KVec::with_capacity(3, GFP_KERNEL)?; 1543 1544 let ctxs = crate::context::get_all_contexts()?; 1545 for ctx in ctxs { 1546 for proc in ctx.get_procs_with_pid(info.pid as i32)? { 1547 procs.push(proc, GFP_KERNEL)?; 1548 } 1549 } 1550 1551 for proc in procs { 1552 proc.ioctl_freeze(&info)?; 1553 } 1554 Ok(()) 1555 } 1556 1557 /// The ioctl handler. 1558 impl Process { 1559 /// Ioctls that are write-only from the perspective of userspace. 1560 /// 1561 /// The kernel will only read from the pointer that userspace provided to us. 1562 fn ioctl_write_only( 1563 this: ArcBorrow<'_, Process>, 1564 _file: &File, 1565 cmd: u32, 1566 reader: &mut UserSliceReader, 1567 ) -> Result { 1568 let thread = this.get_current_thread()?; 1569 match cmd { 1570 uapi::BINDER_SET_MAX_THREADS => this.set_max_threads(reader.read()?), 1571 uapi::BINDER_THREAD_EXIT => this.remove_thread(thread), 1572 uapi::BINDER_SET_CONTEXT_MGR => this.set_as_manager(None, &thread)?, 1573 uapi::BINDER_SET_CONTEXT_MGR_EXT => { 1574 this.set_as_manager(Some(reader.read()?), &thread)? 1575 } 1576 uapi::BINDER_ENABLE_ONEWAY_SPAM_DETECTION => { 1577 this.set_oneway_spam_detection_enabled(reader.read()?) 1578 } 1579 uapi::BINDER_FREEZE => ioctl_freeze(reader)?, 1580 _ => return Err(EINVAL), 1581 } 1582 Ok(()) 1583 } 1584 1585 /// Ioctls that are read/write from the perspective of userspace. 1586 /// 1587 /// The kernel will both read from and write to the pointer that userspace provided to us. 1588 fn ioctl_write_read( 1589 this: ArcBorrow<'_, Process>, 1590 file: &File, 1591 cmd: u32, 1592 data: UserSlice, 1593 ) -> Result { 1594 let thread = this.get_current_thread()?; 1595 let blocking = (file.flags() & file::flags::O_NONBLOCK) == 0; 1596 match cmd { 1597 uapi::BINDER_WRITE_READ => thread.write_read(data, blocking)?, 1598 uapi::BINDER_GET_NODE_DEBUG_INFO => this.get_node_debug_info(data)?, 1599 uapi::BINDER_GET_NODE_INFO_FOR_REF => this.get_node_info_from_ref(data)?, 1600 uapi::BINDER_VERSION => this.version(data)?, 1601 uapi::BINDER_GET_FROZEN_INFO => get_frozen_status(data)?, 1602 uapi::BINDER_GET_EXTENDED_ERROR => thread.get_extended_error(data)?, 1603 _ => return Err(EINVAL), 1604 } 1605 Ok(()) 1606 } 1607 } 1608 1609 /// The file operations supported by `Process`. 1610 impl Process { 1611 pub(crate) fn open(ctx: ArcBorrow<'_, Context>, file: &File) -> Result<Arc<Process>> { 1612 Self::new(ctx.into(), ARef::from(file.cred())) 1613 } 1614 1615 pub(crate) fn release(this: Arc<Process>, _file: &File) { 1616 let binderfs_file; 1617 let should_schedule; 1618 { 1619 let mut inner = this.inner.lock(); 1620 should_schedule = inner.defer_work == 0; 1621 inner.defer_work |= PROC_DEFER_RELEASE; 1622 binderfs_file = inner.binderfs_file.take(); 1623 } 1624 1625 if should_schedule { 1626 // Ignore failures to schedule to the workqueue. Those just mean that we're already 1627 // scheduled for execution. 1628 let _ = workqueue::system().enqueue(this); 1629 } 1630 1631 drop(binderfs_file); 1632 } 1633 1634 pub(crate) fn flush(this: ArcBorrow<'_, Process>) -> Result { 1635 let should_schedule; 1636 { 1637 let mut inner = this.inner.lock(); 1638 should_schedule = inner.defer_work == 0; 1639 inner.defer_work |= PROC_DEFER_FLUSH; 1640 } 1641 1642 if should_schedule { 1643 // Ignore failures to schedule to the workqueue. Those just mean that we're already 1644 // scheduled for execution. 1645 let _ = workqueue::system().enqueue(Arc::from(this)); 1646 } 1647 Ok(()) 1648 } 1649 1650 pub(crate) fn ioctl(this: ArcBorrow<'_, Process>, file: &File, cmd: u32, arg: usize) -> Result { 1651 use kernel::ioctl::{_IOC_DIR, _IOC_SIZE}; 1652 use kernel::uapi::{_IOC_READ, _IOC_WRITE}; 1653 1654 crate::trace::trace_ioctl(cmd, arg); 1655 1656 let user_slice = UserSlice::new(UserPtr::from_addr(arg), _IOC_SIZE(cmd)); 1657 1658 const _IOC_READ_WRITE: u32 = _IOC_READ | _IOC_WRITE; 1659 1660 match _IOC_DIR(cmd) { 1661 _IOC_WRITE => Self::ioctl_write_only(this, file, cmd, &mut user_slice.reader()), 1662 _IOC_READ_WRITE => Self::ioctl_write_read(this, file, cmd, user_slice), 1663 _ => Err(EINVAL), 1664 } 1665 } 1666 1667 pub(crate) fn mmap( 1668 this: ArcBorrow<'_, Process>, 1669 _file: &File, 1670 vma: &mm::virt::VmaNew, 1671 ) -> Result { 1672 // We don't allow mmap to be used in a different process. 1673 if !core::ptr::eq(kernel::current!().group_leader(), &*this.task) { 1674 return Err(EINVAL); 1675 } 1676 if vma.start() == 0 { 1677 return Err(EINVAL); 1678 } 1679 1680 vma.try_clear_maywrite().map_err(|_| EPERM)?; 1681 vma.set_dontcopy(); 1682 vma.set_mixedmap(); 1683 1684 // TODO: Set ops. We need to learn when the user unmaps so that we can stop using it. 1685 this.create_mapping(vma) 1686 } 1687 1688 pub(crate) fn poll( 1689 this: ArcBorrow<'_, Process>, 1690 file: &File, 1691 table: PollTable<'_>, 1692 ) -> Result<u32> { 1693 let thread = this.get_current_thread()?; 1694 let (from_proc, mut mask) = thread.poll(file, table); 1695 if mask == 0 && from_proc && !this.inner.lock().work.is_empty() { 1696 mask |= bindings::POLLIN; 1697 } 1698 Ok(mask) 1699 } 1700 } 1701 1702 /// Represents that a thread has registered with the `ready_threads` list of its process. 1703 /// 1704 /// The destructor of this type will unregister the thread from the list of ready threads. 1705 pub(crate) struct Registration<'a> { 1706 thread: &'a Arc<Thread>, 1707 } 1708 1709 impl<'a> Registration<'a> { 1710 fn new(thread: &'a Arc<Thread>, guard: &mut Guard<'_, ProcessInner, SpinLockBackend>) -> Self { 1711 assert!(core::ptr::eq(&thread.process.inner, guard.lock_ref())); 1712 // INVARIANT: We are pushing this thread to the right `ready_threads` list. 1713 if let Ok(list_arc) = ListArc::try_from_arc(thread.clone()) { 1714 guard.ready_threads.push_front(list_arc); 1715 } else { 1716 // It is an error to hit this branch, and it should not be reachable. We try to do 1717 // something reasonable when the failure path happens. Most likely, the thread in 1718 // question will sleep forever. 1719 pr_err!("Same thread registered with `ready_threads` twice."); 1720 } 1721 Self { thread } 1722 } 1723 } 1724 1725 impl Drop for Registration<'_> { 1726 fn drop(&mut self) { 1727 let mut inner = self.thread.process.inner.lock(); 1728 // SAFETY: The thread has the invariant that we never push it to any other linked list than 1729 // the `ready_threads` list of its parent process. Therefore, the thread is either in that 1730 // list, or in no list. 1731 unsafe { inner.ready_threads.remove(self.thread) }; 1732 } 1733 } 1734 1735 pub(crate) struct WithNodes<'a> { 1736 pub(crate) inner: Guard<'a, ProcessInner, SpinLockBackend>, 1737 pub(crate) nodes: RBTree<u64, DArc<Node>>, 1738 } 1739 1740 impl Drop for WithNodes<'_> { 1741 fn drop(&mut self) { 1742 core::mem::swap(&mut self.nodes, &mut self.inner.nodes); 1743 if self.nodes.iter().next().is_some() { 1744 pr_err!("nodes array was modified while using lock_with_nodes\n"); 1745 } 1746 } 1747 } 1748 1749 pub(crate) enum GetWorkOrRegister<'a> { 1750 Work(DLArc<dyn DeliverToRead>), 1751 Register(Registration<'a>), 1752 } 1753